Patents by Inventor Alberto Rodriguez Natal

Alberto Rodriguez Natal has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12003385
    Abstract: Techniques for dynamic routing based on application load are described herein. The techniques may include receiving load information associated with resources of an application orchestration system that are allocated to host an application, the resources associated with different geographical regions. Based at least in part on the load information, a network controller may determine that first resources of the application orchestration system are less constrained than second resources of the application orchestration system, the first resources associated with a first geographical region and the second resources associated with a second geographical region. Based at least in part on the first resources being less constrained than the second resources, application traffic may be routed through the network to the application hosted by the first resources in the first geographical region.
    Type: Grant
    Filed: October 18, 2021
    Date of Patent: June 4, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Steven William Wood, Ding Bai, Ramanathan Lakshmikanthan, Alberto Rodriguez-Natal, Fabio R. Maino
  • Publication number: 20240171512
    Abstract: Techniques for steering overlay network traffic along specific paths through an underlay network. The techniques may include determining a path through an underlay network that is optimized for sending a packet from a first node of an overlay network to a second node of the overlay network. The techniques may also include determining a destination address for sending the packet along the path from the first node to the second node, the destination address including a micro segment identifier (uSID) corresponding with an underlay node that is disposed along the path through the underlay network and trailing bits representing a portion of an address that corresponds with the second node. The techniques may also include causing the packet to be modified to include the destination address such that the packet is sent from the first node to the second node along the path.
    Type: Application
    Filed: November 22, 2022
    Publication date: May 23, 2024
    Inventors: Bruce Mcdougall, Jeff Byzek, Alberto Rodriguez-Natal, Saswat Praharaj, Fabio R. Maino, Steven William Wood
  • Publication number: 20240163226
    Abstract: Techniques for tracking compute capacity of a scalable application service platform to perform dynamic bandwidth allocation for data flows associated with applications hosted by the service platform are disclosed. Some of the techniques may include allocating a first amount of bandwidth of a physical underlay of a network for data flows associated with an application. The techniques may also include receiving, from a scalable application service hosting the application, an indication of an amount of computing resources of the scalable application service that are allocated to host the application. Based at least in part on the indications, a second amount of bandwidth of the physical underlay to allocate for the data flows may be determined. The techniques may also include allocating the second amount of bandwidth of the physical underlay of the network for the data flows associated with the application.
    Type: Application
    Filed: January 24, 2024
    Publication date: May 16, 2024
    Inventors: Lorand Jakab, Alberto Rodriguez-Natal, Fabio R. Maino, John G. Apostolopoulos
  • Patent number: 11943150
    Abstract: Techniques for tracking compute capacity of a scalable application service platform to perform dynamic bandwidth allocation for data flows associated with applications hosted by the service platform are disclosed. Some of the techniques may include allocating a first amount of bandwidth of a physical underlay of a network for data flows associated with an application. The techniques may also include receiving, from a scalable application service hosting the application, an indication of an amount of computing resources of the scalable application service that are allocated to host the application. Based at least in part on the indications, a second amount of bandwidth of the physical underlay to allocate for the data flows may be determined. The techniques may also include allocating the second amount of bandwidth of the physical underlay of the network for the data flows associated with the application.
    Type: Grant
    Filed: January 13, 2021
    Date of Patent: March 26, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Lorand Jakab, Alberto Rodriguez Natal, Fabio R. Maino, John G. Apostolopoulos
  • Publication number: 20240097998
    Abstract: Techniques for extending network elements to inspect, extract, and complement tracing information added to L7 flows by application distributed tracing systems. The techniques may include receiving a Layer-7 (L7) message of an L7 flow associated with a distributed application and determining that the L7 message includes tracing information. In some examples, the tracing information may be mapped to a marking that is to be included in a Layer 3 (L3) or Layer-4 (L4) packet carrying the L7 message, and the L3 or L4 packet including the marking may be sent to an L3 or L4 network element. In some examples, the L3 or L4 network element may be configured to utilize the marking to determine a network decision for the L3 or L4 packet.
    Type: Application
    Filed: August 15, 2023
    Publication date: March 21, 2024
    Inventors: Alberto Rodriguez-Natal, Edward Albert Warnicke, Saswat Praharaj, Fabio R. Maino
  • Publication number: 20240080223
    Abstract: Techniques are described for extending a cellular quality of service bearer through an enterprise fabric network. In one example, a method includes obtaining, by a first switch of a network, a packet to be delivered to a client connected to the network via a cellular access point; identifying quality of service (QoS) bearer information associated with the packet, wherein the QoS bearer information is associated with a radio access bearer for the client and the QoS bearer information comprises a bearer indicator and a QoS class identifier; providing a fabric tunnel encapsulation for the packet, wherein the bearer indicator and the QoS class identifier are included within the fabric tunnel encapsulation of the packet; and forwarding the packet within the fabric tunnel encapsulation toward a second switch of the network via a fabric tunnel, wherein the cellular access point is connected to the network via the second switch.
    Type: Application
    Filed: October 30, 2023
    Publication date: March 7, 2024
    Inventors: Srinath Gundavelli, Sangram Kishore Lakkaraju, Alberto Rodriguez Natal, Fabio R. Maino, Timothy Peter Stammers
  • Patent number: 11924036
    Abstract: Techniques for enabling a network access provider to make automatic Software as a Service (SaaS) optimization decisions. Among other things, the techniques may include determining a SaaS application that is being accessed by client endpoints via flows through a network access provider. The techniques may also include determining, based at least in part on a policy associated with the network access provider, whether to enable network optimizations for traffic through the network access provider to the SaaS application. Based at least in part on a determination that the network optimizations are to be enabled for the traffic to the SaaS application, the techniques may include installing a service definition associated with the SaaS application in a service policy database of the network access provider.
    Type: Grant
    Filed: April 10, 2023
    Date of Patent: March 5, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Darren Russell Dukes, Jeevan Sharma, Fabio R. Maino, Alberto Rodriguez-Natal
  • Publication number: 20240069995
    Abstract: Techniques for providing a standardized interface that is configured to provide application developers with ways for interacting with different wide area network controllers. A standardized interface may include an application programming interface (API) server that can receive a connectivity request associated with an application that is to be hosted on an application orchestration system. The API server may determine, based at least in part on the connectivity request, a vendor network to be used by the application to send traffic to a remote service. Based at least in part on determining the vendor network, the API server may translate the connectivity request into a first format that is understandable by a controller of the vendor network. The API server may also provide the connectivity request in the first format to the controller of the vendor network such that a path through the vendor network can be determined.
    Type: Application
    Filed: August 31, 2022
    Publication date: February 29, 2024
    Inventors: Saswat Praharaj, Fabio R. Maino, Alberto Rodriguez Natal, Ram Dular Singh, Vivek Agarwal
  • Patent number: 11888752
    Abstract: Techniques for using application network requirements and/or telemetry information from a first networking technology to enhance operation of a second networking technology and optimize wide area network traffic are described herein. The techniques may include establishing a communication network for use by applications of a scalable application service platform, the communication network including a first networking technology and a second networking technology. In this way, a request to establish a connection for use by an application may be received by the first networking technology. The request may include an indication of a threshold service level of the connection. In response to the request, the first networking technology may determine whether the second networking technology is capable of hosting the connection.
    Type: Grant
    Filed: September 2, 2021
    Date of Patent: January 30, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Loránd Jakab, Alberto Rodriguez-Natal, Fabio R. Maino, Timothy James Swanson, John Joyce
  • Patent number: 11863434
    Abstract: Disclosed are systems and methods for providing policy selection in a software defined network. An example method includes registering, by an enterprise controller on an enterprise domain, in a shared mapping system on a service provider domain, one or more entries specifying one or more services for one or more classes of traffic to yield registered entries, reading, by a service provider controller, from the shared mapping system, the registered entries, posting, by the service provider controller, the one or more entries to one or more routing tables at a software-defined wide area network of the service provider domain and receiving a request, by a mobile node on the enterprise domain, of a specific service for a particular class of packets according to a classification of the particular class of packets based on a particular label defined in the registered entries for the specific service.
    Type: Grant
    Filed: November 23, 2021
    Date of Patent: January 2, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Fabio Maino, Syed Khalid Raza, Alberto Rodriguez Natal, Marc Portoles Comeras
  • Patent number: 11811557
    Abstract: Techniques are described for extending a cellular quality of service bearer through an enterprise fabric network. In one example, a method includes obtaining, by a first switch of a network, a packet to be delivered to a client connected to the network via a cellular access point; identifying quality of service (QoS) bearer information associated with the packet, wherein the QoS bearer information is associated with a radio access bearer for the client and the QoS bearer information comprises a bearer indicator and a QoS class identifier; providing a fabric tunnel encapsulation for the packet, wherein the bearer indicator and the QoS class identifier are included within the fabric tunnel encapsulation of the packet; and forwarding the packet within the fabric tunnel encapsulation toward a second switch of the network via a fabric tunnel, wherein the cellular access point is connected to the network via the second switch.
    Type: Grant
    Filed: September 21, 2022
    Date of Patent: November 7, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Srinath Gundavelli, Sangram Kishore Lakkaraju, Alberto Rodriguez Natal, Fabio R. Maino, Timothy Peter Stammers
  • Publication number: 20230328038
    Abstract: Techniques for using proxies with overprovisioned IP addresses to demultiplex data flows, which may otherwise look the same at L7, into multiple subflows for L3 policy enforcement without having to modify an underlying L3 network. The techniques may include establishing a subflow through a network between a first proxy and a second proxy, the subflow associated with a specific policy. In some examples, the first proxy node may receive an encrypted packet that is to be sent through the network and determine, based at least in part on accessing an encrypted application layer of the packet, a specific application to which the packet is to be sent. The first proxy node may then alter an IP address included in the packet to cause the packet to be sent through the network via the subflow such that the packet is handled according to the specific policy.
    Type: Application
    Filed: April 12, 2022
    Publication date: October 12, 2023
    Inventors: Alberto Rodriguez-Natal, Lorand Jakab, Fabio R. Maino
  • Publication number: 20230300059
    Abstract: Techniques for automating traffic optimizations for egress traffic of an application orchestration system that is being sent over a network to a remote service. In examples, the techniques may include receiving, at a controller of the network, an egress traffic definition associated with egress traffic of an application hosted on the application orchestration system, the egress traffic definition indicating that the egress traffic is to be sent to the remote service. Based at least in part on the egress traffic definition, the controller may determine a networking path through the network or outside of the network that is optimized for sending the egress traffic to the remote service. The controller may also cause the egress traffic to be sent to the remote service via the optimized networking path.
    Type: Application
    Filed: August 18, 2022
    Publication date: September 21, 2023
    Inventors: Alberto Rodriguez Natal, Saswat Praharaj, Lorand Jakab, Fabio R. Maino, Pradeep Kumar Kathail
  • Patent number: 11743141
    Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific policies for the first endpoint by evaluating the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.
    Type: Grant
    Filed: November 30, 2021
    Date of Patent: August 29, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Alberto Rodriguez Natal, Hendrikus G. P. Bosch, Fabio Maino, Lars Olaf Stefan Olofsson, Jeffrey Napper, Anubhav Gupta
  • Publication number: 20230261999
    Abstract: In one embodiment, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.
    Type: Application
    Filed: April 26, 2023
    Publication date: August 17, 2023
    Inventors: Sridhar Subramanian, Fabio Rodolfo Maino, Alberto Rodriguez Natal, Vijoy Anand Pandey, Edward A. Warnicke, John Andrew Joyce, Timothy James Swanson, Loránd Jakab
  • Patent number: 11665095
    Abstract: In one embodiment, a device of a software-defined wide area network (SD-WAN) receives, from a cloud-native application, contextual data for the cloud-native application that identifies microservices of the cloud-native application. The device translates the contextual data for the cloud-native application into a network policy for traffic in the SD-WAN associated with the cloud-native application. The device applies the network policy to a traffic flow in the SD-WAN between an endpoint and a particular microservice of the cloud-native application.
    Type: Grant
    Filed: August 3, 2020
    Date of Patent: May 30, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Sridhar Subramanian, Fabio Rodolfo Maino, Alberto Rodriguez Natal, Vijoy Anand Pandey, Edward A. Warnicke, John Andrew Joyce, Timothy James Swanson, Loránd Jakab
  • Patent number: 11647019
    Abstract: A method includes generating, by an internal segmentation orchestrator, a key to cipher/decipher a cryptographic segmentation tag used by an untrusted device, transmitting the key to an external segmentation orchestrator, transmitting the cryptographic segmentation tag to the external segmentation orchestrator and provisioning a trusted network edge with the key and optionally the cryptographic segmentation tag. The method can also include onboarding, based on the key and the cryptographic segmentation tag, the untrusted device, wherein the untrusted device receives the cryptographic segmentation tag from the external segmentation orchestrator.
    Type: Grant
    Filed: October 16, 2019
    Date of Patent: May 9, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Alberto Rodriguez Natal, Mikhail Davidov, Lorand Jakab, Richard James Smith, Fabio Maino
  • Publication number: 20230116947
    Abstract: Techniques for providing network traffic security in a virtualized environment are described. A threat aware controller uses a threat feed provided by a threat intelligence service to establish a threat detection engine on virtual switches. The threat aware controller and threat detection engine work together to detect any anomalous or malicious behavior of network traffic on the virtual switch and established virtual network functions to quickly detect, verify, and isolate network threats.
    Type: Application
    Filed: December 15, 2022
    Publication date: April 20, 2023
    Inventors: Balaji SUNDARARAJAN, Alberto RODRIGUEZ NATAL, Yegappan LAKSHMANAN, Fabio R. MAINO, Anand OSWAL
  • Publication number: 20230069689
    Abstract: Techniques for using application network requirements and/or telemetry information from a first networking technology to enhance operation of a second networking technology and optimize wide area network traffic are described herein. The techniques may include establishing a communication network for use by applications of a scalable application service platform, the communication network including a first networking technology and a second networking technology. In this way, a request to establish a connection for use by an application may be received by the first networking technology. The request may include an indication of a threshold service level of the connection. In response to the request, the first networking technology may determine whether the second networking technology is capable of hosting the connection.
    Type: Application
    Filed: September 2, 2021
    Publication date: March 2, 2023
    Inventors: Loránd Jakab, Alberto Rodriguez-Natal, Fabio R. Maino, Timothy James Swanson, John Joyce
  • Patent number: 11582066
    Abstract: Techniques are described for extending a cellular quality of service bearer through an enterprise fabric network. In one example, a method includes obtaining, by a first switch of a network, a packet to be delivered to a client connected to the network via a cellular access point; identifying quality of service (QoS) bearer information associated with the packet, wherein the QoS bearer information is associated with a radio access bearer for the client and the QoS bearer information comprises a bearer indicator and a QoS class identifier; providing a fabric tunnel encapsulation for the packet, wherein the bearer indicator and the QoS class identifier are included within the fabric tunnel encapsulation of the packet; and forwarding the packet within the fabric tunnel encapsulation toward a second switch of the network via a fabric tunnel, wherein the cellular access point is connected to the network via the second switch.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: February 14, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Srinath Gundavelli, Sangram Kishore Lakkaraju, Alberto Rodriguez Natal, Fabio R. Maino, Timothy Peter Stammers